Improper Protection of Authenticity Token in OmniAuth before 1.3.2
CVE-2017-18076 · HIGH Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected: the request phase stores all request parameters in the session, POST parameters as well as GET parameters, so a Rails CSRF authenticity_token submitted in the form that starts the authentication flow is persisted in the session and exposed in the Rack environment (omniauth.params) of the callback phase, where callback code, logging or middleware never meant to see it can read it. The practical remediation is to upgrade OmniAuth to 1.3.2 or later.
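The following is an added illustration, not code from OmniAuth or from this page: a minimal Rack-style model of the request-phase to callback-phase handoff the advisory describes. The vulnerable variant merges query-string and form-body parameters before persisting them in the session; the hardened variant, consistent with the advisory's wording, persists only the query-string parameters. The env keys (QUERY_STRING, rack.input, rack.session, omniauth.params), the method names and the sample request are assumptions constructed for the example.

```ruby
require 'uri'
require 'stringio'

# Added example, not OmniAuth's own code. Assumptions: a Rack-style env hash
# with QUERY_STRING and a form-encoded body in 'rack.input'; the session is a
# plain Hash stored in env['rack.session'].

# Parse an application/x-www-form-urlencoded string into a Hash.
def parse_form(str)
  URI.decode_www_form(str.to_s).to_h
end

# Query-string parameters only (what Rack exposes as request.GET).
def get_params(env)
  parse_form(env['QUERY_STRING'])
end

# Form-body parameters (what Rack exposes as request.POST) for POST requests.
def post_params(env)
  return {} unless env['REQUEST_METHOD'] == 'POST'
  body = env['rack.input']
  body.rewind
  params = parse_form(body.read)
  body.rewind
  params
end

# Pre-1.3.2 behaviour modelled here: GET and POST parameters are merged and
# the whole hash is persisted in the session for the callback phase.
def request_phase_vulnerable(env)
  env['rack.session']['omniauth.params'] = get_params(env).merge(post_params(env))
end

# Hardened behaviour: only query-string parameters are persisted, so a CSRF
# token posted in the form body never reaches the session.
def request_phase_fixed(env)
  env['rack.session']['omniauth.params'] = get_params(env)
end

# Callback phase: whatever the request phase stored is copied into the
# environment that callback code and middleware can read.
def callback_phase(env)
  env['omniauth.params'] = env['rack.session'].delete('omniauth.params') || {}
  env
end

# Run one constructed flow with the given request-phase implementation and
# return the parameters visible in the callback-phase environment.
def callback_params_after(request_phase)
  session = {}
  # Constructed request: a Rails form POST starting the flow, carrying the
  # CSRF token in the body and an unrelated value in the query string.
  request_env = {
    'REQUEST_METHOD' => 'POST',
    'QUERY_STRING'   => 'origin=%2Fdashboard',
    'rack.input'     => StringIO.new('authenticity_token=abc123&utf8=%E2%9C%93'),
    'rack.session'   => session,
  }
  send(request_phase, request_env)

  # Constructed provider redirect back to the callback URL, sharing the session.
  callback_env = {
    'REQUEST_METHOD' => 'GET',
    'QUERY_STRING'   => 'code=xyz',
    'rack.session'   => session,
  }
  callback_phase(callback_env)['omniauth.params']
end

if __FILE__ == $0
  puts "before 1.3.2: #{callback_params_after(:request_phase_vulnerable).inspect}"
  puts "1.3.2+:       #{callback_params_after(:request_phase_fixed).inspect}"
end
```

Running the script shows the authenticity_token appearing in the callback environment under the vulnerable request phase and absent under the hardened one, while the legitimate query-string parameter (origin) survives in both; that is the property to check when auditing any middleware that round-trips request parameters through the session.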